Generally speaking, when you have sensitive data that needs to be encrypted, there are two main approaches.
By far, option 1 is preferred. However, if option 1 is not feasible for some reason, this article describes how to copy a vault-encrypted file to each managed node.
Let's say you used the ansible-vault create command to create a file named passwords.yml that contains sensitive data, perhaps something like this.
test_password: itsasecret
prod_password: hGn4!kD98A
Viewing passwords.yml with the cat command shows only the encrypted envelope, something like this. Use the ansible-vault view command to see the decrypted content of passwords.yml.
$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
Here is an example of how passwords.yml could be used with the copy module.
---
- hosts: all
  tasks:
    - name: copy passwords.yml to the /usr/local/secure directory
      copy:
        src: passwords.yml
        dest: /usr/local/secure/passwords.yml
        owner: root
        group: root
        mode: 0600
...
Let's say you issue the ansible-playbook command like this.
ansible-playbook foo.yml
The following should be returned.
TASK [copy passwords.yml to the /usr/local/secure directory]
fatal: [server1.example.com]: FAILED! => {"msg": "A vault password or secret must be specified to decrypt passwords.yml"}
Next, write the password that was used to encrypt passwords.yml to a file such as .vault_password.txt.
echo "itsasecret" > .vault_password.txt
Then restrict .vault_password.txt so that only its owner can read and write it.
chmod 0600 .vault_password.txt
The --vault-password-file command line option can then be included on the command line.
ansible-playbook foo.yml --vault-password-file .vault_password.txt
The copy module decrypts a vault-encrypted src file when the vault password is available, so on each managed node the /usr/local/secure/passwords.yml file is written unencrypted and contains the following. That is why the task restricts the destination to mode 0600 owned by root: on the managed node the secrets are stored in plaintext.
test_password: itsasecret
prod_password: hGn4!kD98A
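As an added example that is not part of the original article, the following standard-library Python shows how the $ANSIBLE_VAULT;1.1;AES256 envelope displayed above is laid out (an outer hex layer wrapping salt, HMAC-SHA256 tag and ciphertext, one per line) and how the tag can be checked against a vault password before a playbook run, which catches a wrong .vault_password.txt or a corrupted passwords.yml without decrypting anything. The AES-256-CTR step is deliberately not implemented (it needs a third-party library), so build_envelope is a demo helper that seals constructed stand-in bytes rather than real ciphertext; function names and the sample values are assumptions.

```python
import hashlib
import hmac
import os
from binascii import hexlify, unhexlify

HEADER = "$ANSIBLE_VAULT;1.1;AES256"
KDF_ITERATIONS = 10000  # PBKDF2-HMAC-SHA256 iteration count of the 1.1 format


def derive_keys(password: bytes, salt: bytes):
    """Derive (aes_key, hmac_key, iv) from the vault password as format 1.1 does."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS, dklen=80)
    return dk[:32], dk[32:64], dk[64:80]


def parse_envelope(text: str):
    """Return (salt, mac, ciphertext) bytes from vault file text; raise ValueError if malformed."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a %s file" % HEADER)
    body = unhexlify("".join(line.strip() for line in lines[1:]))  # outer hex layer
    parts = body.split(b"\n")
    if len(parts) != 3:
        raise ValueError("payload must be salt/hmac/ciphertext separated by newlines")
    salt, mac, ct = (unhexlify(p) for p in parts)  # inner hex layer
    if len(salt) != 32 or len(mac) != 32 or not ct or len(ct) % 16:
        raise ValueError("bad salt, hmac or ciphertext length")
    return salt, mac, ct


def verify_envelope(text: str, password: bytes) -> bool:
    """True only if the HMAC-SHA256 tag matches under the key derived from password."""
    salt, mac, ct = parse_envelope(text)
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def build_envelope(ciphertext: bytes, password: bytes, salt: bytes = None) -> str:
    """Demo helper: seal already-encrypted bytes in the 1.1 envelope (no AES performed)."""
    salt = salt or os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join([hexlify(salt), hexlify(mac), hexlify(ciphertext)])
    outer = hexlify(inner).decode()
    return "\n".join([HEADER] + [outer[i:i + 80] for i in range(0, len(outer), 80)]) + "\n"
```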